
UCLA Hospital Hit With HIPAA Fine On Celeb Records

timothy posted more than 3 years ago | from the easier-than-getting-madonna's-pap-smear dept.

Government 57

Trailrunner7 writes "The University of California at Los Angeles Health Services has agreed to pay a $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification. This is the third major HIPAA fine issued by the Department of Health and Human Services in 2011, following a fine of $4.3 million for Cignet and a penalty of $1 million for Massachusetts General Hospital."


Is that news? (0)

spaceplanesfan (2120596) | more than 3 years ago | (#36703998)

With enough money/power you can buy anything.

So, if you are a papatatzi, and have loads of money, no security or whatever privacy rules there are would stop you from sniffing the hot facts.
Or if you are government and you just pass a law that allows you to spy on anybody without any prior reason.

Re:Is that news? (0)

Anonymous Coward | more than 3 years ago | (#36704114)

What is a papatatzi?

Re:Is that news? (1)

ColdWetDog (752185) | more than 3 years ago | (#36704166)

What is a papatatzi?

Paparazzi with a tattoo?

Information wants to be FREE (2)

For a Free Internet (1594621) | more than 3 years ago | (#36704042)

Why is the government stopping us from following our dear stares? What do they have to hide? Probably druges and buttesex.

Pledged to tweak their infrastructure (1)

shoehornjob (1632387) | more than 3 years ago | (#36704054)

Sounds like hospital speak for slap a band aid on it and hope they don't get caught again.

Re:Pledged to tweak their infrastructure (0)

Anonymous Coward | more than 3 years ago | (#36704106)

Well, I'd imagine it's a hard thing to fix. Someone accessed medical journals without a valid purpose? OK, insert at all terminals a brain scanner to detect whether the accesser has a valid purpose or not.

Re:Pledged to tweak their infrastructure (4, Insightful)

ethanms (319039) | more than 3 years ago | (#36704122)

I was thinking it sounds like "fire those involved and make it very clear too all remaining employees that those involved were fired and are unlikely to get another job in the medical field after being terminated for a HIPPA violation..."

Re:Pledged to tweak their infrastructure (1)

ethanms (319039) | more than 3 years ago | (#36704126)

ugg... to...

Re:Pledged to tweak their infrastructure (2)

NeoMorphy (576507) | more than 3 years ago | (#36704272)

I agree!

I work at a health insurance company and everyone in the company was required to take HIPPA training. It was very thorough, and I assume everyone else in the Health Industry had to go through something similar. On top of that, the pharmacy reminds you of it and whenever I see a new doctor I get to read yet more documentation regarding HIPPA and then sign it.

The employees involved should have known they were doing something that was not only illegal, but that it would endanger their career.

If you think about it, there is a lot of private data that is ultimately protected by people acting professionally and not disclosing that information to the wrong people. There is no way to proactively stop that, other than hiring the right people, doing background checks, and impressing upon them the importance of following the rules regarding privacy.

Re:Pledged to tweak their infrastructure (1)

scottv67 (731709) | more than 3 years ago | (#36704512)

>HIPPA training
>regarding HIPPA

The training must not have been very good if you did not learn how to spell the acronym.

Re:Pledged to tweak their infrastructure (2)

NeoMorphy (576507) | more than 3 years ago | (#36704594)

Argghhh!

My apologies, you are correct.

HIPAA (Health Insurance Portability and Accountability Act)

For some reason I often think "Health Insurance Portability and Privacy Act", which seems more appropriate. There is a lot of emphasis on privacy, and yet it's not in the acronym. I must confess that remembering what the acronym stood for was a question I got wrong, but I got the rest right.

Re:Pledged to tweak their infrastructure (1)

shoehornjob (1632387) | more than 3 years ago | (#36704544)

Hmm... I think you just saved the company money by not putting a bandaid on the situation. Imagine if they actually had to rewrite some software to lock access to records etc. You're right, termination does work better.

Re:Pledged to tweak their infrastructure (0)

Anonymous Coward | more than 3 years ago | (#36705240)

Hospitals don't write the software they use to manage paper records, they purchase that software from vendors like Epic, Cerner, Siemens, McKesson, Meditech, and others.

Regarding employees looking at records, it depends on the employee what their access is. Housekeeping can't see the records, but any admitting clerk authorized to register a patient can see patients in the system (but likely not their medical record). But any doctor, nurse, medical technician, or medical records person can see any record because their job requires that they use them. So locking records would require much more complexity than you might think. For example, if a consultation by an infectious disease doctor on call is requested, the person requesting the consultation may not know who's on call, so how can that be authorized? Additionally, in the event of a medical emergency, any person might need access to the record to provide emergency care.

Note that the people who violated the HIPAA regulations were caught because these systems have logs which show who views the records.

Re:Pledged to tweak their infrastructure (1)

SonnyDog09 (1500475) | more than 3 years ago | (#36708934)

The punishment depends on who you are. Clerks get fired. Nurses may get fired, depending on whether they are in a Union or not. They may also be suspended without pay. It varies. The last time that I really looked at this, I could not find a case of a doctor being fired for a HIPAA (yes, that is the acronym... it has nothing to do with hippos) violation. They might be suspended without pay.

Shocked, shocked I tell you! (4, Insightful)

overshoot (39700) | more than 3 years ago | (#36704080)

Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

Re:Shocked, shocked I tell you! (0)

Anonymous Coward | more than 3 years ago | (#36704112)

Anyone who accesses the information must have a justifiable reason for having done so. For example in Ireland some woman won 118 million euro on the Eurolottery and 108 accesses were made to find information on her at a government agency. Nothing ever happened.

Re:Shocked, shocked I tell you! (1)

Dilaudid (574715) | more than 3 years ago | (#36705066)

This all seems pretty simple. You record every access, all accesses will be audited at a later stage by an oversight committee. 99% of cases are automatically handled (e.g. doctor accessing records for his patient day after admission) but cases which are not clear are reviewed. Any employee who accesses records has to explain his rationale for doing so. If the rationale doesn't hold up, they are disciplined / sacked. A warning explaining this comes up when you try to access records. I would imagine the guarantee of losing your job would curtail the curiosity of most nosy employees, and while the sacking might be post-hoc, their apprehension will be before the fact.

Re:Shocked, shocked I tell you! (1)

Anonymous Coward | more than 3 years ago | (#36705654)

As somebody who works in the medical record field as a 'consultant', this is grossly impractical.

Records get accessed hundreds of times a day by hundreds of people for all sorts of reasons. It would be a full time effort by a good sized team of people to even begin to look into the audit logs.

Now any good EMR suite will allow the locking of sensitive records which prevents unauthorized access such as this. However, they typically will allow a 'break the glass' scenario where anybody CAN access the record in an emergent situation, but that access is reported immediately to a supervisor.

Either way, there are already partial solutions to this sort of thing, but there is just too much data to manage manually. Plus the real sensitive information like SS numbers, addresses, etc, are so easily accessible without even technically looking at the record with zero accountability. Lots of paper floating around still too. Basically the only solution is good training, good people, and strong policy when the first two are ineffective. No different than anything else.
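A sketch of the post-hoc audit triage and "break the glass" handling described in the two comments above, as an added example that is not part of the original thread and not any EMR vendor's code. The record fields, the two-day grace window and the verdict names are assumptions, and every log entry is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Encounter:
    patient: str
    care_team: frozenset      # users with a documented treatment relationship
    admitted: datetime
    discharged: datetime

@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    patient: str
    break_glass: bool = False  # emergency override was used
    reason: str = ""           # free-text justification typed at override time

GRACE = timedelta(days=2)      # assumed follow-up window after discharge

def triage(access, encounters, restricted):
    """Classify one chart access for the audit queue."""
    for enc in encounters:
        if (enc.patient == access.patient
                and access.user in enc.care_team
                and enc.admitted <= access.when <= enc.discharged + GRACE):
            return "auto_cleared"        # routine access by the treating team
    if access.break_glass and access.reason.strip():
        return "supervisor_review"       # override with a stated reason
    if access.patient in restricted:
        return "priority_review"         # locked chart, no relationship, no reason
    return "needs_explanation"           # employee must justify the access

def review_queue(log, encounters, restricted):
    """Return (access, verdict) pairs for everything a human must look at."""
    queue = []
    for access in log:
        verdict = triage(access, encounters, restricted)
        if verdict != "auto_cleared":
            queue.append((access, verdict))
    return queue

def curiosity_spikes(log, encounters, restricted, threshold=3):
    """Patients whose chart drew `threshold` or more distinct uncleared users."""
    users = {}
    for access, _ in review_queue(log, encounters, restricted):
        users.setdefault(access.patient, set()).add(access.user)
    return {p: len(u) for p, u in users.items() if len(u) >= threshold}

# --- constructed sample data: all names, IDs and times are made up ---
T0 = datetime(2011, 7, 1, 8, 0)
ENCOUNTERS = [
    Encounter("P-1001", frozenset({"dr_adams", "rn_baker"}),
              T0, T0 + timedelta(days=3)),
    Encounter("P-2002", frozenset({"dr_chen"}),
              T0, T0 + timedelta(days=1)),
]
RESTRICTED = {"P-1001"}        # chart flagged as sensitive / VIP
LOG = [
    Access(T0 + timedelta(hours=2), "dr_adams", "P-1001"),
    Access(T0 + timedelta(days=4), "rn_baker", "P-1001"),
    Access(T0 + timedelta(hours=5), "dr_evans", "P-1001",
           break_glass=True, reason="on-call infectious disease consult"),
    Access(T0 + timedelta(days=4), "clerk_ford", "P-1001"),
    Access(T0 + timedelta(days=4, hours=1), "rn_gray", "P-1001"),
    Access(T0 + timedelta(days=4, hours=2), "tech_hall", "P-1001"),
    Access(T0 + timedelta(hours=6), "rn_baker", "P-2002"),
    Access(T0 + timedelta(days=10), "dr_chen", "P-2002"),
]

if __name__ == "__main__":
    for access, verdict in review_queue(LOG, ENCOUNTERS, RESTRICTED):
        print(access.when.isoformat(), access.user, access.patient, verdict)
    print("spikes:", curiosity_spikes(LOG, ENCOUNTERS, RESTRICTED))
```

Only the uncleared accesses reach a reviewer, which is what keeps the queue manageable; the spike count surfaces the pattern of many unrelated staff opening one chart in a short period.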

Re:Shocked, shocked I tell you! (2)

Mindcontrolled (1388007) | more than 3 years ago | (#36704168)

Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

Scope matters (1)

overshoot (39700) | more than 3 years ago | (#36704236)

I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine.

You can access the sealed filings from cases all across the country?

No? Maybe that makes a difference.

Re:Scope matters (1)

Mindcontrolled (1388007) | more than 3 years ago | (#36704344)

Ok, you got a point there - Obviously I can only access stuff inside the firm. But then again, would it really change anything? In the end, it remains a matter of my professional obligation and honor to keep my mouth shut.

Re:Scope matters (1)

TheGratefulNet (143330) | more than 3 years ago | (#36704346)

You can access the sealed filings from cases all across the country?

if he's lulzsec, I bet he could...

Re:Scope matters (1)

unkiereamus (1061340) | more than 3 years ago | (#36706570)

You can access the sealed filings from cases all across the country?

No? Maybe that makes a difference.

I don't see the relevance here.

The only thing I can figure, is that you have a vastly distorted view of EMR. I think an uncomfortably large portion of the populace has bought the shit that Siemens is shoveling in their ads.

There isn't a vast network spanning the country of EMRs that can be accessed by anyone connected to it. Not even spanning a city (with limited exceptions). Each hospital/dr office/whatever has their own system, with their own records. I can't work at SmallRegionalHospital and access the UCLA system, at best (And this is something of a stretch for most EMR systems), I might be able to access the records of SmallRegionalHospital'sOutreachClinic.

Now, I've never worked for one of the huge healthcare corporations, so I don't know whether all of their EMR systems are linked, but I'm tempted to think that they aren't.

Why?

HIPAA.

Re:Shocked, shocked I tell you! (1)

Jawnn (445279) | more than 3 years ago | (#36705224)

Well, generally, why shouldn't the files be open to every medical employee? They are bound to silence, anyway. I work at a law firm, and I can review cases that are not my own, too - as long as I don't go off and blabber about it in the next bar or to the next journalist, that's fine. You can learn from cases that are not your own, after all. Of course, the assumption that everyone will honor their obligation to silence is a bit far-fetched, I give you that. But post hoc the one that talked should be slapped, not the institution.

Well said, and artfully argued, I might add. It should be pointed out that since almost forever, medical records have lived on paper in large, poorly secured rooms. Audit trails, if they existed at all, were little more than a sign in sheet by the door. The breach that was caught and dealt with in this case would likely have gone undetected, or the perpetrators un-identified at least, before the advent of EMR. Then again, I did work in one hospital where the records of a certain class of patients were considered exceptionally sensitive and received an additional layer of security. It might be argued that the medical records of "celebrities" deserve a similar level of security. No one is likely to bribe a file clerk for access to the file on "Joe the shoe salesman", but Britney Spears? All the time. Not that our fascination, as a society, with such celebrity details isn't sick in itself, but that's another discussion.

Re:Shocked, shocked I tell you! (3, Interesting)

Saerko (1174897) | more than 3 years ago | (#36704262)

Part of the system's design requirement is that caregivers should be able to access the records of an unresponsive patient. You know, the "found unconscious at an out-of-town auto wreck" scenario. And that's a worthy objective.

Trouble is, it also means that ANY medical personnel, anywhere, have to have access to everyone's medical records. Obvious potential for abuse, so all of the protections have to be post hoc.

I'm not sure I'm all in for that statement. Almost all EMRs these days have pretty robust security controls, and it's rare that celebrity patients come in on unplanned visits where that "all access" kind of response is necessary. Where it is, it's usually handled in the ED, where the expectation of privacy is necessarily low. In the case that the patient is a regular admission, a pre-admit for a procedure/care, or anything other than getting hit by a bus or other trauma, there are well-established practices that protect their identity.

For instance, my last employer had a case where a celebrity's wife came in for Labor & Delivery. The hospital admitted her under a pseudonym, and only her direct caregivers knew the true identity. An audit trail and special VIP protections were placed on her record, so that staff had to electronically "sign" and state a reason why they needed access to her chart if they weren't in the direct care group. For all intents and purposes, she was well protected.

The problem came in when billing entered the picture. You can't bill against a pseudonym, and the local papers broke the story soon after she delivered. Once she left the hospital, her pseudonym was replaced by her real name, and her chart was promptly accessed over 200 times by various personnel across the hospital. In the next week, five people were fired outright for unauthorized access, and about a dozen put on disciplinary action because we couldn't fully prove that their access was unnecessary, if suspect. In an ideal world, the system would have been able to bill out under the pseudonym with the identity correction occurring downstream, but people still talk and the cover would get blown eventually anyway.

Does this anecdote have a point? I'd like to think so: it's that there's only so much mitigation you can do, but a lot of hospitals and EMR vendors could certainly do more. There will always be people like me who have god-like access by necessity though, and as long as that exists, there will always be the potential for abuse and information leaks. I think the real benefit of electronic systems is that, previously, if someone absconded with the paper chart, there was no way to tell who accessed it. Even I leave entries in the logs, and there's pretty close to no way to effectively "leave no trace" of my presence in the system. The biggest benefit of modernization is accountability, but real privacy is a pipe dream that people need to abandon.

get rid the HMO bs and then billing will not be th (1)

Joe_Dragon (2206452) | more than 3 years ago | (#36704506)

get rid of the HMO bs and then billing will not be the fall point for people who don't want their real name listed.

Re:Shocked, shocked I tell you! (0)

Anonymous Coward | more than 3 years ago | (#36704868)

"For instance, my last employer had a case where a celebrity's wife came in for Labor & Delivery. The hospital admitted her under a pseudonym, and only her direct caregivers knew the true identity. An audit trail and special VIP protections were placed on her record, so that staff had to electronically "sign" and state a reason why they needed access to her chart if they weren't in the direct care group."

Nice to see your hospital is treating everyone equally, you know like the law says they are supposed to... This happened not because she was a person who deserved to keep her medical records private but because she was famous. Exactly why was she given special treatment?

sounds like sound risk management to me. (2)

KingAlanI (1270538) | more than 3 years ago | (#36708818)

Because she's famous, it increased the risk that people would access the records unnecessarily, and this behavior seemed like a logical response to manage that risk.

Re:Shocked, shocked I tell you! (2)

david_thornley (598059) | more than 3 years ago | (#36705308)

In a civilized country, there wouldn't have to be any billing for something like a delivery.

Re:Shocked, shocked I tell you! (0)

Anonymous Coward | more than 3 years ago | (#36705602)

you can choose not to get pregnant. why shouldn't you have to pay for burdening the planet with yet another useless human?

Re:Shocked, shocked I tell you! (1)

swalve (1980968) | more than 3 years ago | (#36707978)

In a more civilized country, you pay for the services you consume.

Re:Shocked, shocked I tell you! (0)

Anonymous Coward | more than 3 years ago | (#36722292)

And if you can't pay, you should just die in the street. All properly civilized.

Re:Shocked, shocked I tell you! (0)

Anonymous Coward | more than 3 years ago | (#36707332)

The real benefit is in the availability of information (just like with the internet and porn, yay!): the record is available to the emergency medics and the radiographers and the gynae people and their regular doctor, and that is good for medical decisions.

Locks and logs work so far, but ultimately this is a Layer 8 problem, as your anecdote shows. The problem I see with logs is that a minor offence becomes graven in stone, and it's hard to use it as a management stick: "Hey Bob, get that off your screen rightgoddamnnow" is something that I think is making way for formal disciplinaries.

Re:Shocked, shocked I tell you! (1)

girlintraining (1395911) | more than 3 years ago | (#36705562)

Obvious potential for abuse, so all of the protections have to be post hoc.

In every other case, the employee would simply be fired and have to find a new line of work. Fining the employer for an infrastructure that is working as designed only increases medical costs for everyone. Worse, I highly doubt this fine would have been levied if it had been a homeless person instead of a celebrity. Effectively we're paying for celebrity ego here.

And so... (1)

Anonymous Coward | more than 3 years ago | (#36704118)

This is why I'm against surveillance as a means to deal with crime.

I don't necessarily have a problem with surveillance in and of itself; but I do have a problem when humans are the ones in control of it. You simply cannot trust that everybody who has access to information will not abuse it.

Give people the opportunity to take advantage of other people, and it will happen.

Re:And so... (1)

swalve (1980968) | more than 3 years ago | (#36707988)

The only way to stop crime is to stop people from wanting to do it, and increasing the chances they get caught is one of the ways to do that. You don't want a society of people who never have had to make "should I, shouldn't I" decisions. They will all run into traffic the second the styrofoam fence develops a hole.

Why only celebrities? (0)

Anonymous Coward | more than 3 years ago | (#36704154)

These are the ones that make the news and that are made obvious to investigators when confidential information escapes into public reporting. It implies it's just as easy to get the records of non-celebrities if people had enough reason to be interested.

HIPAA is a travesty (4, Insightful)

Tony Isaac (1301187) | more than 3 years ago | (#36704190)

I work in the electronic medical records industry, and I can tell you that HIPAA protects your privacy about as well as those multi-page "privacy policy" letters you get from your bank and other businesses...you know, the ones that tell you, in lots of fine print, that they will do whatever they want with your information.

Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!

What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes. It also costs hospitals and doctors tons of money to comply (I know, my company is the recipient of some of that money)...and that in turn drives up the cost of health care.

HIPAA may have been created with good intentions in mind, but it is a travesty and can't be repealed fast enough!

Re:HIPAA is a travesty (0)

Anonymous Coward | more than 3 years ago | (#36704310)

Amen! It's just a law that can be used to punish people if stuff is released. It may cause some people to be more careful, which is good, but it won't provide protection from hacking into medical databases, and electronic medical records are about as secure as your computer is. (Ever have a virus?)

Re:HIPAA is a travesty (0)

Anonymous Coward | more than 3 years ago | (#36708518)

Nope, never had a virus. I switched to Linux before I connected to the Internet.

Re:HIPAA is a travesty (1)

flimflammer (956759) | more than 3 years ago | (#36704350)

Not saying you're bullshitting or anything but my father was hospitalized last year over a severe infection in his hand. He was so sick from it that he was out of it and unable to sign any paperwork. The doctors who saw him were very up front with me about their thoughts and fears about his health.

Are you suggesting that they violated HIPAA by telling me? I was under the impression HIPAA was more about sharing information with non relatives, or to stop those who can access the information from accessing it without a valid reason.

Re:HIPAA is a travesty (3, Insightful)

Tony Isaac (1301187) | more than 3 years ago | (#36704396)

You are correct, that is what HIPAA was supposed to be about. You are fortunate.

The problem is, it all depends on how the specific doctor or hospital interprets their obligations under HIPAA. Some of them are reasonable, but others grossly exaggerate the level of privacy required by the law.

In our business, we often have to read document after document just to try to understand the requirements. If WE have to do that, how in the world can a small doctor's office apply the law correctly? The truth is, they often make their best guess and hope the lawyers don't come after them.

Re:HIPAA is a travesty (1)

Anonymous Coward | more than 3 years ago | (#36705058)

Regulation is intended to eliminate small and efficient competitors, see raw milk, beef industry, heck, even freaking barbers are regulated and need to study to get licensed.

Well, barbers are more about exclusion of newcomers in terms of labor (i.e. unions), in comparison of the other examples where big business is putting hurdles for small businesses using the power of the state. Nevertheless, both have the goal of raising the bar to entry.

Re:HIPAA is a travesty (1)

pete6677 (681676) | more than 3 years ago | (#36707686)

HIPAA does nothing more than create mountains of paperwork (or electronic forms). It makes no real difference in privacy in any meaningful way, but it sure does keep a lot of HIPAA consultants employed.

Re:HIPAA is a travesty (1)

android.dreamer (1948792) | more than 3 years ago | (#36709998)

Look, let's hypothetically say you had the case above and it turned out your father had AIDS. I wouldn't want my kids to know that. "He's ill" should really be the only thing I would want my doctors to say.

Re:HIPAA is a travesty (0)

Anonymous Coward | more than 3 years ago | (#36706782)

It seems to me that you are confusing the HIPAA Privacy Rule and the Security Rule. The consent forms and notice of privacy practices as well as the rules on disclosure are all part of the Privacy Rule. The HIPAA Security Rule, which you should be familiar with because you state that you work in the EMR industry, is what is designed to protect your information and subsequently, what the case in TFA is about. The HIPAA Security Rule includes requirements for Administrative, Technical, and Physical safeguards designed to protect your information from unauthorized disclosure. These include requirements for things like passwords, logging, auditing, information security policies, etc. and very much help to protect your health information.

Perhaps you are not old enough to remember how things were prior to HIPAA. There were no transaction standards, so insurance claims, prescriptions, and referrals were fraught with errors and omissions thus putting people's health at risk. Physicians commonly released information to the media, employers, or anyone who asked regardless of the privacy concerns of the patient.

Is it difficult to maintain compliance? Yes. Especially for small practices, but to suggest that the only thing HIPAA does is make life difficult and drive up costs is misleading at best.

Re:HIPAA is a travesty (0)

Anonymous Coward | more than 3 years ago | (#36708342)

Sure, HIPAA requires doctors and hospitals to get your consent before sharing your information with others. That's why, when you see a doctor these days, you have to first sign that consent form! If you don't sign, you get sub-standard care, or have insurance hassles...basically, you have to sign. So tell me how THAT helps anything!

What HIPAA DOES do well, is make it difficult for spouses (and other caring family members or friends) to find out what's going on with their loved ones when disaster strikes.

Re:HIPAA is a travesty (0)

Anonymous Coward | more than 3 years ago | (#36717724)

It's not all bad. I have a relative who was out of work due to a back injury. A coworker didn't believe him and asked his wife (who worked at a doctor's office) to get some info on him. My relative found out and sued. The lady lost her job and he got a nice settlement.

Why not jail for the offenders? (1)

schwit1 (797399) | more than 3 years ago | (#36704458)

The article states that the employees had no reason for accessing the records. How about puerile curiosity? What they didn't have was a legitimate reason.

The hospital says it needs to conduct “regular and robust” trainings for employees that access sensitive information. What a load of crap. This is the same bullshit response police departments give when cops steal your camera when you record them. Both parties knew what they were doing was wrong BEFORE they did it. The answer is serious jail time.

Re:Why not jail for the offenders? (0)

Anonymous Coward | more than 3 years ago | (#36704736)

There can be jail time if it is proven that the person did it (viewed the EMR) knowing that it was a violation. Of the few cases that have gone to court, the people who got the jail time used the EMR data for ID theft.

But will they pay? (1)

rbanzai (596355) | more than 3 years ago | (#36705078)

We read about fines like this all the time but there is no follow-up to see if they are ever paid. It's similar to the drug busts where law enforcement agencies assign an arbitrary massively inflated value to the confiscated material to make themselves look good. Agencies declare these fines so they look good in the press, but are they ever actually paid? In full? On time?

Or as they say in the hospital... (1)

tyler_larson (558763) | more than 3 years ago | (#36705426)

Knock knock!
Who's there?
HIPAA.
HIPAA who?
Sorry, I'm not allowed to say.

A relatively simple solution to this (0)

Anonymous Coward | more than 3 years ago | (#36706332)

It should be made a requirement for all electronic medical records systems that the identity of every person that views a record (along with a timestamp) should become part of the record. If everyone knows that they cannot anonymously view a record, they will very quickly stop looking at things they shouldn't.

There's an easy solution. (0)

Anonymous Coward | more than 3 years ago | (#36707316)

Why not just refuse to treat or admit celebrity patients?
They're more trouble than they're worth.

Re:There's an easy solution. (1)

MLease (652529) | more than 3 years ago | (#36709560)

Hm. So being a celebrity is an offense potentially punishable by death now?

-Mike

I hate to break this to you, but (1)

Whuffo (1043790) | more than 3 years ago | (#36710632)

Much of the access to these protected records comes from minimum-wage (or slightly better) data entry workers. There's a huge amount of paperwork generated for each hospital patient and they handle it all.

Imagine if you're one of these people; working long days at a keyboard for barely enough to live on - and someone offers you a significant "bonus" for giving them a copy of this or that file.

This goes on every day at your hospital, your motor vehicle licensing and driver's licensing department, etc. There's a booming market for private information; lawyers, collection agents, skip tracers, etc, etc. Each of them cultivates their own sources of inside information and pays them well.

Security theater doesn't only go on at the airport...

The hospitals don't fear the fine... (0)

Anonymous Coward | more than 3 years ago | (#36726686)

With HIPAA, the actual civil fines are pretty trivial. In fact, if memory serves (from back in '02, when I worked at a hospital) it was less than $100/violation.

But just one violation is enough to get an inspection. HIPAA auditors can come in and go over the entire facility with a fine-toothed comb. And they will assess a fine for Every Single Thing. There used to be some limits on how high the total fines can be, but those caps have been raised. Even so, a few million isn't really a horrific deterrent, especially with corporate entities which are remarkably adept at cushioning themselves from this sort of thing.

The big issue, though, is the inspection itself. Even if an inspection does not yield a single violation, or if no fines come of an inspection, the entire facility is turned on its head. Every detail, every business process, can come under scrutiny. That threat, in my experience, had a far greater deterrent than the fine could manage.
